Posted by timothy on Saturday August 07, 2010 @08:19AM from the here-you'll-like-this dept.

CWmike writes "Taking a page from rival Google's playbook, Mozilla plans to introduce silent, behind-the-scenes security updating to Firefox 4. The feature, which has gotten little attention from Mozilla, is currently 'on track' for Firefox 4, slated to ship before the end of the year. Firefox 4's silent update will only be offered on Windows, Mozilla has said. Most updates will be downloaded and installed automatically without asking the user or requiring a confirmation. 'We'll only be using the major update dialog box for changes like [version] 4 to 4.5 or 5,' said Alex Faaborg, a principal designer on Firefox, in the 'mozilla.dev.apps.firefox' forum. 'Unfortunately users will still see the updating progress bar on load, but this is an implementation issue as opposed to a [user interface] one; ideally the update could be applied in the background.' Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update."

To be honest, I'm not so worried about this - it's only a browser, and I install all those security updates anyway. What I'm not so keen on is the "silent, in the background, don't bother the user" implementation. I'd like to know that it is doing it, pop a little UI element on the status bar that says "updating latest version now" and then gets on with it, and then puts a little version marker somewhere so I know it's been done.

Be polite to your users, be open in your communication, inform us. (and a link to the things that were fixed if you click the version number would be a nice to have)

In fact, I welcome this update! It was hard enough getting those less-than-savvy relations to use Firefox, but even getting my WIFE to update FF is a chore. Automatic updates for these folks will be especially welcome. It's depressing to be on the cutting edge of FF public releases only to visit your mother and find she's still running FF 2.0.17 and has been ignoring the update suggestions forever.

Can you name five security updates in the last two years that actually broke functionality for you? Not that my installation base is that huge, but I can think of maybe two updates out of hundreds where some level of functionality was actually lost to the average user.

At first I also thought that this is an annoying move, but then your post made me realize that my family is the same. Each time an update window appears they want me to come over and see what is it because they don't know and "Do you want to update?" is just as alien to them as "would you like to polarize the photon deflectors now?"

I welcome this change now that I have realized what it truly means. As long as there is a fairly easy way to enable the nagging screen if you want it, then I won't mind it being

So far computers aren't intelligent, nor smarter than their users (despite opinions to the contrary), they generally pick the worst time to try to do updates.

There currently isn't a way for a computer to predict when it's getting in your way (hint, right at boot-up is the worst time, as I turned on the computer to get something done). Until then, there should be a clear indication it WANTS to update, with user ability to postpone for a specified period without distraction/interference.

A better method would be for the OS to have an updating control, like on the Windows task bar, with progress meters for various software, with controls for aborting, pausing without anything hidden/secretive/subversive/untrusted.

Sure, give the users the ability to have background updates for those who prefer it, even provide an OS control so that you don't have to tell each individual piece of software that's your preference, that would be great. Thankfully Firefox is not inhibiting user control--yet (or I'd

This is smart thinking. The process should be easy but not invisible. I like that Chrome does a lot of things easily, but don't like that I don't know about those things. It leads to the sudden "this thing doesn't work anymore" syndrome where things break with no seeming reason.

That said, I hate that Firefox has to be restarted to install add-ons. Things like that aren't good enough. I should be able to install the add-on and use it immediately.

Maybe a Check Box that states, "I don't want to see this message again", would be useful? And the programming to do it is relatively straightforward.

Openness of Communication has been the Fan and Light for the "Smoke and Mirror" types out there. This simple fact acts like a salt on an open wound to every "Secret by Silence" business model I have been exposed to. I proudly state to BSOD victims that one of the most successful aspects of Openness is that the bad guys are shut down in to two to three wee

I HATE Google doing this! In fact, I ripped out Picasa and Chrome on my Mac because of these silent updates. I don't have a problem if this was a configuration option set on during install that I could turn off, but it isn't. Since Firefox will allow it to update in the traditional manner, I'm fine with that, but I HATE it being done silently in the background!

I have found that there is a way to block Google's silent update on a Mac, it basically requires creating an empty file in a certain directory

If things break, users probably won't be able to fix them without calling someone for help. It's easy enough to check whether there has been an update.

My mom, for example, frequently fails to tell me of important events like software updates when things stop working. Instead she just tells me that "the Internet stopped working today" and other vague things like that. I have to dig to find out that she upgraded such and such, or disabled this or that.

So I say either you are savvy enough to turn off silent updates, or at least check to see if there's been an update, or you aren't savvy enough for knowledge of updates to be useful to you directly.

No; the more computers act like magical black boxes, the easier it becomes using them. It becomes harder to fix them, if you don’t understand how the black box works.

Ideally I want to understand it. But for day-to-day use, I’d just assume forget, in a practical sense, that I know about it, and treat it like a magical black box. As long as it does what I want and expect, I’m satisfied. If it doesn’t, or if my expectations change, I have the knowledge to figure out what’s wrong o

Most users need to know when something has changed so they can associate any potential breakage with the correct event.

Most users are complete dunderheads when it comes to anything resembling logic. They don't associate anything with anything. Giving mental ammunition like information to someone whose mental weapon is a broken slingshot is rather pointless. But giving them something that will automatically protect them in the VAST majority of real world use cases, is a great idea, and far more valuable than

Yes. Silent updates suck. Well at least, for people that want to control their own computer, it does. But for my sister, my dad, my great aunt and all these people that think I'm their personal helpdesk, this is perfect. I've seen so many family members who had 2 year old browsers and stuff...

Yes. Silent updates suck. Well at least, for people that want to control their own computer, it does.

Fortunately, you (or someone or collection of persons you trust) have the source, can build it, use it, and redistribute it. Thus, you don't *have* to use the software with silent update functionality, even if you keep using the browser itself. (though you'll lose the branding; call it "iceweasel" perhaps;)

Yes. Silent updates suck. Well at least, for people that want to control their own computer, it does.

Fortunately, you (or someone or collection of persons you trust) have the source, can build it, use it, and redistribute it. Thus, you don't *have* to use the software with silent update functionality, even if you keep using the browser itself. (though you'll lose the branding; call it "iceweasel" perhaps;)

And what percentage of Windows boxes even have a compiler installed, much less a user who knows how to use it? Are you really going to recompile by hand every time you get an update? Yeah, I thought so.

Yes. Silent updates suck. Well at least, for people that want to control their own computer, it does. But for my sister, my dad, my great aunt and all these people that think I'm their personal helpdesk, this is perfect. I've seen so many family members who had 2 year old browsers and stuff...

There's a lot of truth here.

Often the only updates that happen are automatic or silent. If they aren't automatic they typically don't happen. The silent updates that I speak of are when geeks like me do it for their

Bullshit? "Force"? Then what part of "Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update" did you not understand?

I don't mind if the browser asks. It looks like they are going to default to silent updates unless you change the setting. The only way I can see this as a bad idea for the non-technical user is in the case where Mozilla screws up and a patch hoses up the browser or operating system itself (and don't act like that can't happen because it has for other software, even if it wasn't Mozilla that did it, it could still happen.)

FTA (bolding mine):

Firefox 4's silent update will only be offered on Windows, Mozilla has said.

Most updates, including all security updates, will be downloaded and installed automatically without asking the user or requiring a confirmation, said Alex Faaborg, a principal designer on Firefox....

Unlike Google, Mozilla will let users change the default silent service to the more traditional mode, where the browser asks permission before downloading and installing any update.

Some take exception to their software installing stuff (even updates) without their express permission (or request), or to software refusing to run until it is updated (MS's IM client does this, or so I'm told). There are a number of reasons why you might want to hold back on an update - perhaps you are a dev who wants to keep old versions around for testing how their pages work in older versions that have certain issues, or perhaps you just prefer to hold back a day or so to make sure there are no massive b

Also (missed this from my previous post) I don't want my browser deciding it wants to download a several Mb update while I'm connected via a very slow cellular connection (i.e. GPRS in area with no 3G or wifi coverage) trying to get something done with what little bandwidth is available in such circumstances.

There is a potential security issue too: what if someone manages to hack Mozilla's DNS to point to a malicious site pretending that there is an update (which introduces malware)? I hope they are planning on properly signing and verifying updates to deal with this possibility.

Do you want Firefox to be updated automatically?
(x) Yes, check for updates and install automatically (recommended).
( ) No, notify me but I will decide to install updates myself.
( ) Do not check for updates (not recommended).

Note: with automatic updates, you will still be asked for permission to install major updates.

This isn't really limiting their choices, it's just requiring them to take a step to opt out if they like. Sort of like the move to automatically enrolling people in their company's 401k unless they opt out. Since most people do opt in or at least want to do it, doing so gives most people what they want without having to do any work. Those that don't want to have ample time to opt out if they choose to.

And sometimes it is the appropriate thing to do. Sane defaults dictate that sometimes the default be in

Being able to deny an update adds another layer of security to users' computers...

No, it does not. At least not on the net average. For you or I? Sure. But my mom and dad, my sister and her boyfriend, the kids I used to work with all use Firefox. And their reliability is nonexistent. If it asks them for permission, half the time they say ok. If it pops up when they're trying to type something, they close it and ignore it.

If Firefox never pops anything up, but stays updated, that's a huge step up in security for the majority of users. If they can be trained NOT to just click 'OK' on dia

Communism and capitalism are two sides of the same coin, and the whole coin is morally neutral. The problem comes when you let greedy, sociopathic tyrants flip the coin... then it becomes a matter of which terrible outcome you get, not whether you get one.

I get more complaints from family and friends about "slow computers" than anything else, and usually these are all about silent background updates in the end. It's damned near impossible to explain to someone that's not computer literate what an update is, how it's affecting their computer, why it's necessary that the update gets installed, etc. They don't even know what Firefox is ("You mean my Internet?") much less any of the other things. Even my wife struggles to comprehend why there's always an update running; she tends to think I'm lying or dismissing her concerns. Every single application running on her computer does silent background updates:

Another background process running automatic updates each and every icon in the tray and for each and every folder and application in the Start menu, as well as for browser plugins, third party configuration tools/extensions, drivers, etc.

At the very least they should try to display a notification somewhere on the screen saying "Updating XYZ, may slow your computer..." each time they do this, rather than silently saturating an internet connection (as 10 different updaters are in competition with one another), a CPU, and/or a hard drive's activity.

I installed the nvidia driver on my Linux system from the rpmfusion repository. When I run "yum update", yum updates both normal Fedora updates and nvidia driver updates. I could even configure yum-updatesd to update all packages without me even noticing.

Why can't it be this simple on windows? Windows update on Vista/Win7 is okay for updating microsoft software. Now if only third parties could add their own 'repositories' to windows update, this would make updating a lot easier, and computing a lot safer.

Now if only third parties could add their own 'repositories' to windows update

How much would Microsoft and Microsoft's certificate authority partner (that is, VeriSign) charge third-party application publishers for such a service? And how would developers of Free applications for Windows be able to afford it?

You forget that browser updates matter. And, in theory, OS security updates should as well. So let's not say that silent updates are not ideal for all cases. They're not ideal for stupid and silly apps that you shouldn't be supporting any way (woops, broke the rule of not bashing useful but bloated apps -- kill me!; woops, did it again!)

Hopefully Windows (Microsoft) will implement a repository system like in Linux distros. There's no reason to have EACH program run an updater for itself. Or, if you don't like the Linux example think of Apple app store....

Linux can do that because virtually all the software is free either pricewise or GPLed. In which case most of those people are thrilled to have somebody else picking up the tab on the distribution and advertising. In the Windows world, that's not really the case. Much of it is commercial software and the freeware and opensource stuff is so numerous that I doubt MS is interested in taking on the responsibility and cost of hosting those files.

What the hell are you talking about? OSX does NOT have a central repository for updating programs. I get spammed only a bit less than windows for updates to the various programs I have installed on OSX. If you're talking iPhone specifically, then you're talking about programs which Apple distributes being updated by Apple. This is not what is being talked about here - these are programs that are distributed by a large number of companies, being updated by those companies specifically. And that's the problem

Is your solution to have Microsoft distribute all the windows programs in the world?

No, but it could distribute or _facilitate_ the distribution for the most common programs. I don't expect my Linux distro to distribute all the programs available on Linux but I'm happy with the 20k+ that it does distribute, among them Firefox and Chrome, neither has to use computer resources to check separately if there's an upgrade available. I get Chrome as soon as is released, Firefox usually takes a while until is packaged for my distro.

Poor, poor, pitiful Microsoft.. can't be bothered with the cost of maintaining a repository of trusted and tested programs, like the fat cat big spenders on the Linux distro world.. but it's ok, their other approaches to security are working so well.. Don't kid yourself, that it's a "cost" issue, or an issue of "too many" applications.. The REAL REASON they don't follow suit with a repository system, is that there are whole industries built around the system they have.. Thousands of little Dutch boys would

It doesn't need to have a repo system. It just needs to have a standard protocol for installation and update. Programs, once installed, can register with the update service, point Windows to the update URL source and then when there's an update, Windows can do it all in one batch.

Signed with a certificate issued by whom, purchased with what money? A company like Mozilla Corp could afford it, just as it can afford the Authenticode certificate to digitally sign Firefox Setup, but individual hobbyist developers of freeware and free software likely can't spare 200 U.S. dollars per year plus whatever their state charges to form a business entity.

This is why I hate that OSes... well, Windows, hasn't got a decent package manager.

Auto updates could easily be handled through a single program for the entire OS. All you do is just add to a file or registry item where the URL is, current version number, date / frequency of check and an optional "where to extract this to" for non-install archives. Then you can make whatever damned EXE you need to make for doing updates then, whether it is Chrome's silent updater or a Windows updates. Windows Task Manager != an

There is a solution to that, but the Windows implementation that I've seen was downright dreadful. (Well, the one that works for third-party software...)

Have all applications register with an updater program that checks for updates when the machine is idle.

The problem is, there's two choices I've seen: Windows Update, which is really just for Microsoft software (but works fairly well for that,) and InstallShield Update Manager, which is great in theory... but in practice, it doesn't respect settings to not

Can you recommend an easy-to-understand user interface to configure the updater to disable itself when on a pay-per-bit connection to the Internet yet reenable itself when on a less strictly metered connection (such as a home LAN or a restaurant hotspot)?

At the risk of being /. assassinated, I have to say that I agree with this. Particularly because it is possible to disable such a feature.

Non-techie people don't get a thing about browsers, updating, security, etc. The medium-techie usually want to be all updated, so will update to even RCs and Betas if they find them out. Techie guys, us, do whatever they want, but I believe that they want to be in control and know what's going on -- thus, they'll disable such feature. But especially for the non-techies, this is a way of getting free security upgrades. The upgrades will probably be carefully chosen so that there are no compatibility issues -- and if there are, non-techie to medium-techie users won't care that much.

All in all, it is good for people who don't care, and enables us who care to keep things the way we want it.

I won't disable automatic updates, but I will disable silent automatic updates. When something stops working, I generally look at what has changed. If I don't know what to look at, it makes things very difficult to debug.

I wonder how this will get around UAC, a substantially annoying feature of Windows Vista/7. Will they be installing firefox to the user's home directory? Will it be sand-boxed from the OS? I admit I haven't done much looking into the pre-release so I apologize for any ignorance I might be showing.

How is an extra service, with admin and network access rights and intent on modifying /program files/, safer/better?

The updater service can be audited separately because it is a much smaller program than Firefox itself. After the main app has finished downloading the update package to the Local Settings folder in the user's home directory, it starts the updater service. The updater service itself does not connect to any network; all it does is verify the digital signature of the update package and then replace the executable with the updated copy. I don't know how Windows ACLs work in depth, but if the updater runs as a

Nah, Little Snitch will tell me. I really do hate that Google Chrome feature; just when I least expect it one of the Google background processes is for no apparent reason trying to connect to certain sites.
Makes me wary, even if for the right reasons some software tries to sneak in any update without telling me. Even Apple gives me more freedom there.

I'd love to be able to actually deploy and maintain Firefox in the large enterprise that I work in. Users want it. Unfortunately, users don't have admin rights, and Mozilla makes applying updates and configuring the browser from a central location difficult and has a history of not thinking about and actively shooting down any proposals which would potentially benefit system administrators trying to support Firefox.

I saw the whole trainwreck (bugzilla bug 18574) unfold over several years. The libmng developers deserve medals for their effort - every time the goalposts were moved and they were ordered to make the library fit into an (intentionally) impossible small size, they actually did it.

Thanks for another useless, proprietary format that none of us can use, Mozilla. Open Web my fucking ass.

I don't normally run as administrator on my computers. I have installed Firefox as an admin., though, and I must use that account for updates. This is slightly annoying with Firefox because I get update nag notifications under my user account which can't be used to perform the updates. I don't always want to go through the hassle of shutting down my current session and switching accounts for the latest update. I hope this new feature can be turned off to avoid additional problems with the update process.

Wow, these companies are really shooting themselves in the foot when it comes to corporate adoption.

No right-minded SysAdmin would want this sort of thing in their environment. While I understand that you CAN turn it off, I'm willing to bet (without caring enough to actually look), that they have neglected to add any security features that would prevent an end user from turning the "auto update" back on.

As a windows user I'd like to see a big player like Mozilla release a standalone updater that all the other software can use so every app doesn't have to check for updates on its own and use its own halfassed update method.

Silent updates is the reason why I received a 30 euro phone bill for a few minutes.

I was on holiday, and let a friend use my laptop and telephone to send an important email (it was a party invitation, nothing more important than that). And of course... I forgot to displace all things that would silently try to update whatever they could when a network connection was found. Within a short time, a few megabytes were downloaded. And mobile data from a foreign country is more expensive than HP ink.

So please Mozilla, provide a nice toggle through the preferences screen to change this, and not through an about:config option.

That and these hidden updates could cause problems in the corporate world. Normally when browsers are updated I see vendors advising users to wait until the browser has been tested. That mostly applies to major updates, but any kind of update could patch a hole that a web application relied on - or introduce a new bug.

I assume that if it bothered you that much, you'd probably search for a way to turn it off. The summary did say that you will still know when the updates are being applied with a progress bar, it just doesn't ask you or go through a whole hullaballoo to install updates.

They have essentially reached the point of time when there was no competition (technologically, *) left, and interpreted the achieved stability as a stagnation. And that freaked them out and they set out to destroy themselves by screwing up what was working perfectly before.

Kidding. FireFox's focus was always a grandma type of user. The moment when they say goodbye to their tech savvy audience was ought to come and I believe it is upon us. It started in 2.x with some enhancements one couldn't turn off (

I realize this may seem like sacrilege on /. but IE8 plus an extension called IE7Pro (which despite its name works great on 8) gives Firefox a good run for its money. It's actually more secure in some important ways (sandboxing, ASLR), includes ad-blocking out of the box (set the registry key to enable InPrivate Filtering on every startup) and Flash filtering (under the Flash add-on options, delete the Use on sites: *.* then you can manually add sites when they request it) and while its JS engine is weak co